netwire | 9dd9dcea8897935e1ad2495d33b9236228dac772ca825cc67c90938bb29aa419

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proof Of Payment.exe
Size

1021KB
MD5

121b665f158aa269dfdd6d701c4af31d
SHA1

81b94a9e9af1258dd5074adc7077c0fca2de7e79
SHA256

9e1de81ecb080a9d970953a62de72b6a83cc61776409098f1429c11032cbfa14
SHA512

af293c732eea9d928e9bcfefc35fbee68ad3af3392503dd3d051ef9dc54df630f6a5a965d364f255c9c25a19465e58ed630edc644eed99c370924aec837b5b68

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1544-67-0x0000000000220000-0x0000000000845000-memory.dmp	netwire
behavioral1/memory/1544-68-0x0000000000222BCB-mapping.dmp	netwire
behavioral1/memory/1544-72-0x0000000000220000-0x0000000000845000-memory.dmp	netwire
behavioral1/memory/1544-73-0x0000000000220000-0x0000000000845000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

pptbga.pifRegSvcs.exe

pid process

1004 pptbga.pif
1544 RegSvcs.exe
Loads dropped DLL 5 IoCs

Processes:

Proof Of Payment.exepptbga.pif

pid process

684 Proof Of Payment.exe
684 Proof Of Payment.exe
684 Proof Of Payment.exe
684 Proof Of Payment.exe
1004 pptbga.pif

pid	process
684	Proof Of Payment.exe
684	Proof Of Payment.exe
684	Proof Of Payment.exe
684	Proof Of Payment.exe
1004	pptbga.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pptbga.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	pptbga.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\22643517\\pptbga.pif 0\\22643517\\orktcam.foo"	pptbga.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

pptbga.pif

description pid process target process

PID 1004 set thread context of 1544 1004 pptbga.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1004 set thread context of 1544	1004	pptbga.pif	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pptbga.pif

pid	process
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif
1004	pptbga.pif

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Proof Of Payment.exepptbga.pif

description	pid	process	target process
PID 684 wrote to memory of 1004	684	Proof Of Payment.exe	pptbga.pif
PID 684 wrote to memory of 1004	684	Proof Of Payment.exe	pptbga.pif
PID 684 wrote to memory of 1004	684	Proof Of Payment.exe	pptbga.pif
PID 684 wrote to memory of 1004	684	Proof Of Payment.exe	pptbga.pif
PID 1004 wrote to memory of 1544	1004	pptbga.pif	RegSvcs.exe
PID 1004 wrote to memory of 1544	1004	pptbga.pif	RegSvcs.exe
PID 1004 wrote to memory of 1544	1004	pptbga.pif	RegSvcs.exe
PID 1004 wrote to memory of 1544	1004	pptbga.pif	RegSvcs.exe
PID 1004 wrote to memory of 1544	1004	pptbga.pif	RegSvcs.exe
PID 1004 wrote to memory of 1544	1004	pptbga.pif	RegSvcs.exe
PID 1004 wrote to memory of 1544	1004	pptbga.pif	RegSvcs.exe
PID 1004 wrote to memory of 1544	1004	pptbga.pif	RegSvcs.exe
PID 1004 wrote to memory of 1544	1004	pptbga.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.exe
"C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\22643517\pptbga.pif
"C:\Users\Admin\22643517\pptbga.pif" orktcam.foo
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\22643517\kafxg.log
Filesize
316KB

MD5
44edc15f20d20f4b425f033cc387c165

SHA1
5e7a2ac4953cd0b23b8fee744b63104dfe346427

SHA256
eb1ccd0b6b3494951dc1046e417d9a5c695c17b0eba57800bef5b19d6d0cb3cb

SHA512
c204c8ce99f06568e1c9578c1c8b48ebab55e030617b17d007f4e77ab83aca71870411def521aa97e65958d5b3d82589c11a1b08d24e3af87d7573fc7f92e0fc

Download Submit
C:\Users\Admin\22643517\orktcam.foo
Filesize
155.4MB

MD5
7cb2ccd674dc1d18b2082f00ae7e5bd7

SHA1
b4bdafe2f36f93ce5dd6534944ac07ac821d7322

SHA256
0ccab4907ee3d12de4a40e74ea7197d7d16dab37ef4f0ee740c9b75e23cd555c

SHA512
9149f6a91fea98234fdf57a3ae578f530b002e74f7a99b9b9b74ac1cb388d1087905ad05775b26ddfbd1327174a7fe8fe1bc1d674f59769000879e1d8c07a11a

Download Submit
C:\Users\Admin\22643517\pptbga.pif
Filesize
910KB

MD5
503fbeaa015418e1a57880f8a0306d43

SHA1
bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

SHA256
ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

SHA512
17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\22643517\pptbga.pif
Filesize
910KB

MD5
503fbeaa015418e1a57880f8a0306d43

SHA1
bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

SHA256
ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

SHA512
17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

Download Submit
\Users\Admin\22643517\pptbga.pif
Filesize
910KB

MD5
503fbeaa015418e1a57880f8a0306d43

SHA1
bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

SHA256
ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

SHA512
17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

Download Submit
\Users\Admin\22643517\pptbga.pif
Filesize
910KB

MD5
503fbeaa015418e1a57880f8a0306d43

SHA1
bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

SHA256
ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

SHA512
17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

Download Submit
\Users\Admin\22643517\pptbga.pif
Filesize
910KB

MD5
503fbeaa015418e1a57880f8a0306d43

SHA1
bd05b27424688e8d8aad7f99ea0d6aa1efbbe8a0

SHA256
ad6a04f8a27507d42f7aa6a668d4892352142be6701ea83b2e0d49d222b586f9

SHA512
17367cdcf5db8d9ca23d8b20a02bcc9e4880a2d62cf1be13eed2b7ccb8848acd50c194f2b864e655dde9ff1e9e9e14412b04d40ce4749bd2e68fdaba9bd29900

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/684-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1004-59-0x0000000000000000-mapping.dmp

Download
memory/1544-65-0x0000000000220000-0x0000000000845000-memory.dmp

Filesize
6.1MB

Download
memory/1544-67-0x0000000000220000-0x0000000000845000-memory.dmp

Filesize
6.1MB

Download
memory/1544-68-0x0000000000222BCB-mapping.dmp

Download
memory/1544-72-0x0000000000220000-0x0000000000845000-memory.dmp

Filesize
6.1MB

Download
memory/1544-73-0x0000000000220000-0x0000000000845000-memory.dmp

Filesize
6.1MB

Download